Hi,
I have 20.1.6 with et pro telemetry plugin. I got the correct token and entered it in IDS rules screen. Then I enabled all rules and activated schedule updates. The other rules do make the auto updates, but not the et pro rules. When I manually press download and update it works fine. Any ideas why it doesn't do auto updates?
Thx
Have you checked the logfile in the Intrusion Detection section?
What does it say?
System: Settings: Cron: Update and reload intrusion detection: Specify minutes, hours, days....
Example:
Minutes: 10
Hours: 7
Day of the month: 1-30
Months: 1-12
Days of the week: 1-7
That looks weird. Is that really what you get via: Services -> Intrusion Detection -> Log File ?
Mine looks like this:
2020-05-21T21:10:37 suricata: [100149] <Notice> -- rule reload complete
2020-05-21T21:10:03 suricata: [100149] <Notice> -- rule reload starting
2020-05-21T20:10:37 suricata: [100149] <Notice> -- rule reload complete
2020-05-21T20:10:03 suricata: [100149] <Notice> -- rule reload starting
Hi,
Log seems fine:
2020-05-21T12:02:12 suricata: [100585] <Notice> -- rule reload complete
2020-05-21T12:00:13 suricata: [100585] <Notice> -- rule reload starting
2020-05-21T09:10:21 suricata: [100585] <Notice> -- rule reload complete
2020-05-21T09:06:20 suricata: [100585] <Notice> -- rule reload starting
2020-05-20T08:40:18 suricata: [100585] <Notice> -- rule reload complete
2020-05-20T08:38:52 suricata: [100585] <Notice> -- rule reload starting
2020-05-19T06:04:20 suricata: [100585] <Notice> -- rule reload complete
2020-05-19T06:03:00 suricata: [100585] <Notice> -- rule reload starting
2020-05-18T06:46:34 suricata: [100585] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.
2020-05-18T06:45:10 suricata: [100585] <Warning> -- [ERRCODE: SC_WARN_DEFAULT_WILL_CHANGE(317)] - in 5.0 the default for decoder event stats will go from 'decoder.<proto>.<event>' to 'decoder.event.<proto>.<event>'. See ticket #2225. To suppress this message, set stats.decoder-events-prefix in the yaml.
2020-05-18T06:45:10 suricata: [101384] <Notice> -- This is Suricata version 4.1.8 RELEASE
2020-05-18T06:45:10 suricata: [100167] <Notice> -- Stats for 'bce1+': pkts: 244078, drop: 0 (0.00%), invalid chksum: 0
2020-05-18T06:45:10 suricata: [100167] <Notice> -- Stats for 'bce1': pkts: 344785, drop: 0 (0.00%), invalid chksum: 11
2020-05-18T06:45:09 suricata: [100167] <Notice> -- Signal Received. Stopping engine.
2020-05-18T06:35:37 suricata: [100167] <Notice> -- rule reload complete
2020-05-18T06:34:51 suricata: [100167] <Notice> -- rule reload starting
2020-05-18T06:34:37 suricata: [100167] <Notice> -- rule reload complete
2020-05-18T06:34:16 suricata: [100167] <Notice> -- rule reload starting
2020-05-18T06:34:08 suricata: [100167] <Notice> -- rule reload complete
2020-05-18T06:33:26 suricata: [100167] <Notice> -- rule reload starting
For the cron, I set it for each 6 hours.
The rules are officially updated once a day from Monday to Friday between 6pm and 10pm. Therefore it is sufficient to update them once a day. If it is done more often the log indicates that the rules have been restarted but nothing has really been downloaded or updated. You can see when they are updated at the bottom of the following link:
https://rules.emergingthreats.net/changelogs/
Same with me. I have a fresh OPNSense setup.
IPS Configured, and cron job for rules, and nada, its not updating.
It does look like its working in the logs:
2020-05-26T07:01:25 suricata: [100485] <Notice> -- rule reload complete
2020-05-26T07:01:17 suricata: [100485] <Notice> -- rule reload starting
But if I look at Download tab all the rules havent been updated since the 24th which is when I set it up.
@yeraycito - THANKS!!!!!
I don't see any reason why it started to work, but it did.
I changed the Services: Intrusion Detection: Administration:Schedule from:
Minutes:0,Hours:0/6,Day of the month:*,Months:*,Days of the week:* (what basically says update at 6:00,12:00,18:00,00:00 hours every day)
TO
Minutes:11,Hours:6,Day of the month:1-30,Months:1-12,Days of the week:1-7 (update at 6:11AM each day)
I played with the timing, going back and forward. Each time when I set my initial times it stops the updates, then I update rules manually and set second timer all working fine.
@N0_Klu3: Try first see that when you press "Download&Update Rules" it actually update all your Enabled rules correctly, then change the scheduler to what I wrote before. Give it a day or two to run.
When we entered Services -> Intrusion Detection -> Log File we see this:
2020-05-22T11:10:12 suricata: [100585] <Notice> -- rule reload complete
2020-05-22T11:06:13 suricata: [100585] <Notice> -- rule reload starting
2020-05-21T11:10:21 suricata: [100585] <Notice> -- rule reload complete
2020-05-21T11:06:20 suricata: [100585] <Notice> -- rule reload starting
This means that the rules have been reset, but sometimes new rules will have been downloaded and sometimes not. To know when new rules have been downloaded, you must enter the Opnsense Dashboard and enable the Proofpoint widget (Telemetry status)